Server-Side Request Forgery in Backstage Auth Plugin
CVE-2026-32236
What is CVE-2026-32236?
A Server-Side Request Forgery (SSRF) vulnerability was identified in @backstage/plugin-auth-backend prior to version 0.27.1. The flaw is reachable only when the configuration setting 'auth.experimentalClientIdMetadataDocuments.enabled' is turned on. The Client ID Metadata Document (CIMD) fetching logic validates the client_id hostname against private IP ranges before the initial request, but does not re-apply that validation after an HTTP redirect, so a client_id that points at a public host which redirects to an internal address causes the server to issue a request to that address. The practical impact is limited: the attacker cannot read the internal request's response body, control its headers, or change its method. The feature is off by default and must be explicitly enabled, and deployments that restrict allowedClientIdPatterns to trusted domains are unaffected. Users are advised to upgrade to version 0.27.1 or later to mitigate this risk.
Affected Version(s)
plugin-auth-backend < 0.27.1
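The redirect gap described above, as an added illustration that is not Backstage's code (the function names, the private-range table and the fake HTTP responses are constructed for this example): the pre-fix pattern checks the client_id host once and lets the HTTP client follow redirects, while the fixed pattern follows each redirect by hand and re-runs the check on every hop.

```javascript
// Classify a literal IP address as private/loopback/link-local. A plain DNS
// name returns false here; checking what it resolves to is a separate step.
function isPrivateAddress(ip) {
  if (/^(\d{1,3}\.){3}\d{1,3}$/.test(ip)) {
    const [a, b] = ip.split(".").map(Number);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  if (ip.includes(":")) {
    const v6 = ip.toLowerCase();
    if (v6.startsWith("::ffff:")) return isPrivateAddress(v6.slice(7)); // v4-mapped
    return v6 === "::" || v6 === "::1" || /^f[cd]/.test(v6) || v6.startsWith("fe80");
  }
  return false;
}

// Throw if the URL's literal host is private; return the parsed URL otherwise.
function assertAllowedUrl(rawUrl) {
  const url = new URL(rawUrl);
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (host === "localhost" || isPrivateAddress(host)) throw new Error(`disallowed host: ${host}`);
  return url;
}

// Pre-fix pattern: one check up front, then the HTTP client follows redirects unchecked.
async function fetchMetadataUnsafe(clientId, fetchImpl) {
  assertAllowedUrl(clientId);
  return fetchImpl(clientId, { redirect: "follow" });
}

// Fixed pattern: follow redirects manually and re-validate the target of every hop.
async function fetchMetadataSafely(clientId, fetchImpl, maxRedirects = 5) {
  let current = assertAllowedUrl(clientId).href;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await fetchImpl(current, { redirect: "manual" });
    if (res.status < 300 || res.status >= 400) return res;
    const location = res.headers.get("location");
    if (!location) throw new Error("redirect without Location header");
    current = assertAllowedUrl(new URL(location, current).href).href; // checked per hop
  }
  throw new Error("too many redirects");
}

// Constructed stand-in for fetch(): a public client_id URL that redirects to a private address.
const FAKE_SERVERS = {
  "https://app.example.com/client": { status: 302, location: "http://10.0.0.5/internal" },
  "http://10.0.0.5/internal": { status: 200, location: null },
};
async function fakeFetch(url, { redirect }) {
  let res = FAKE_SERVERS[url];
  while (redirect === "follow" && res.location) res = FAKE_SERVERS[res.location]; // silent follow
  return { status: res.status, headers: new Map(res.location ? [["location", res.location]] : []) };
}

// Runs both variants against the same client_id; returns the unsafe status and the safe outcome.
async function demo() {
  const id = "https://app.example.com/client";
  const unsafe = (await fetchMetadataUnsafe(id, fakeFetch)).status;
  const safe = await fetchMetadataSafely(id, fakeFetch).then(() => "reached", e => e.message);
  return { unsafe, safe };
}
```

With the constructed responses, `demo()` shows the unsafe variant completing the request to 10.0.0.5 (status 200) while the safe variant stops at the first redirect hop with "disallowed host: 10.0.0.5".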
